/**
* Copyright 2023 Google LLC
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
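locals {
  # Revision annotation pointing at a Serverless VPC Access connector.
  # A connector created by this module wins over one passed in through
  # var.revision_annotations.vpcaccess_connector; no annotation is emitted
  # when neither is set.
  _vpcaccess_annotation = (
    local.vpc_connector_create
    ? {
      "run.googleapis.com/vpc-access-connector" = google_vpc_access_connector.connector[0].id
    }
    : (
      var.revision_annotations.vpcaccess_connector == null
      ? {}
      : {
        "run.googleapis.com/vpc-access-connector" = (
          var.revision_annotations.vpcaccess_connector
        )
      }
    )
  )
  # Service-level annotations. The ingress annotation limits where requests
  # may come from (e.g. internal traffic only); leaving it null keeps the
  # platform default, which accepts traffic from all sources.
  annotations = merge(
    var.ingress_settings == null ? {} : {
      "run.googleapis.com/ingress" = var.ingress_settings
    },
  )
  # Optional name prefix applied to the service and its triggers.
  prefix = var.prefix == null ? "" : "${var.prefix}-"
  # Revision-level annotations. Each entry is emitted only when the
  # corresponding input is set, so unset inputs never produce null values.
  revision_annotations = merge(
    # max_scale is guarded the same way as min_scale below, so an autoscaling
    # object without max_scale does not yield a null-valued annotation.
    try(var.revision_annotations.autoscaling.max_scale, null) == null ? {} : {
      "autoscaling.knative.dev/maxScale" = (
        var.revision_annotations.autoscaling.max_scale
      )
    },
    try(var.revision_annotations.autoscaling.min_scale, null) == null ? {} : {
      "autoscaling.knative.dev/minScale" = (
        var.revision_annotations.autoscaling.min_scale
      )
    },
    # try() keeps the length check from failing when the list itself is null.
    try(length(var.revision_annotations.cloudsql_instances), 0) == 0 ? {} : {
      "run.googleapis.com/cloudsql-instances" = (
        join(",", var.revision_annotations.cloudsql_instances)
      )
    },
    local._vpcaccess_annotation,
    # Egress setting for traffic leaving through the VPC connector.
    var.revision_annotations.vpcaccess_egress == null ? {} : {
      "run.googleapis.com/vpc-access-egress" = (
        var.revision_annotations.vpcaccess_egress
      )
    },
    var.gen2_execution_environment ? {
      "run.googleapis.com/execution-environment" = "gen2"
    } : {},
    var.startup_cpu_boost ? {
      "run.googleapis.com/startup-cpu-boost" = "true"
    } : {},
  )
  # Explicit revision name (service name plus the supplied suffix), or null
  # to let Cloud Run generate one.
  revision_name = (
    try(var.revision_name, null) == null
    ? null
    : "${var.name}-${var.revision_name}"
  )
  # Runtime identity: the module-created account when requested, otherwise
  # the caller-supplied one. Null (neither set) means the service runs under
  # the platform's default runtime service account, so supplying a dedicated
  # account is preferable for least privilege.
  service_account_email = (
    var.service_account_create
    ? (
      length(google_service_account.service_account) > 0
      ? google_service_account.service_account[0].email
      : null
    )
    : var.service_account
  )
  # Whether a dedicated service account for Eventarc triggers is created,
  # and its email (null when it is not).
  trigger_sa_create = try(
    var.eventarc_triggers.service_account_create, false
  )
  trigger_sa_email = try(
    google_service_account.trigger_service_account[0].email, null
  )
  vpc_connector_create = var.vpc_connector_create != null
}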
resource "google_vpc_access_connector" "connector" {
  # Serverless VPC Access connector, created only when
  # var.vpc_connector_create is set; its id feeds the vpc-access-connector
  # revision annotation assembled in locals.
  count   = local.vpc_connector_create ? 1 : 0
  project = var.project_id
  region  = var.region
  # The connector name falls back to the service name when none is given.
  name = (
    var.vpc_connector_create.name == null
    ? var.name
    : var.vpc_connector_create.name
  )
  network       = var.vpc_connector_create.vpc_self_link
  ip_cidr_range = var.vpc_connector_create.ip_cidr_range
  machine_type  = var.vpc_connector_create.machine_type
  # Instance and throughput bounds for connector autoscaling.
  min_instances  = var.vpc_connector_create.instances.min
  max_instances  = var.vpc_connector_create.instances.max
  min_throughput = var.vpc_connector_create.throughput.min
  max_throughput = var.vpc_connector_create.throughput.max
  subnet {
    name       = var.vpc_connector_create.subnet.name
    project_id = var.vpc_connector_create.subnet.project_id
  }
}
resource "google_cloud_run_service" "service" {
  # Cloud Run (Knative serving) service. Runtime identity, annotations and
  # the revision name are assembled in the locals block.
  provider = google-beta
  project  = var.project_id
  location = var.region
  name     = "${local.prefix}${var.name}"

  template {
    spec {
      container_concurrency = var.container_concurrency
      # Null when no service account is created or passed in; Cloud Run then
      # runs the revision under the project's default runtime service
      # account, which is usually broader than a dedicated identity.
      service_account_name = local.service_account_email
      timeout_seconds      = var.timeout_seconds
      dynamic "containers" {
        for_each = var.containers
        content {
          image   = containers.value.image
          args    = containers.value.args
          command = containers.value.command
          # Plain environment variables: values are written into the
          # revision spec and Terraform state in clear text, so they are
          # not suitable for secrets (use env_from_key below).
          dynamic "env" {
            for_each = containers.value.env
            content {
              name  = env.key
              value = env.value
            }
          }
          # Environment variables resolved from Secret Manager at runtime;
          # only the secret name and version key are recorded here. The
          # runtime service account needs read access to these secrets.
          dynamic "env" {
            for_each = containers.value.env_from_key
            content {
              name = env.key
              value_from {
                secret_key_ref {
                  key  = env.value.key
                  name = env.value.name
                }
              }
            }
          }
          # Optional liveness probe; whichever of the grpc/http_get actions
          # is set is emitted.
          dynamic "liveness_probe" {
            for_each = containers.value.liveness_probe == null ? [] : [""]
            content {
              failure_threshold     = containers.value.liveness_probe.failure_threshold
              initial_delay_seconds = containers.value.liveness_probe.initial_delay_seconds
              period_seconds        = containers.value.liveness_probe.period_seconds
              timeout_seconds       = containers.value.liveness_probe.timeout_seconds
              dynamic "grpc" {
                for_each = (
                  containers.value.liveness_probe.action.grpc == null ? [] : [""]
                )
                content {
                  port    = containers.value.liveness_probe.action.grpc.port
                  service = containers.value.liveness_probe.action.grpc.service
                }
              }
              dynamic "http_get" {
                for_each = (
                  containers.value.liveness_probe.action.http_get == null ? [] : [""]
                )
                content {
                  path = containers.value.liveness_probe.action.http_get.path
                  dynamic "http_headers" {
                    for_each = (
                      containers.value.liveness_probe.action.http_get.http_headers
                    )
                    content {
                      name  = http_headers.key
                      value = http_headers.value
                    }
                  }
                }
              }
            }
          }
          dynamic "ports" {
            for_each = containers.value.ports
            content {
              container_port = ports.value.container_port
              name           = ports.value.name
              protocol       = ports.value.protocol
            }
          }
          dynamic "resources" {
            for_each = containers.value.resources == null ? [] : [""]
            content {
              limits   = containers.value.resources.limits
              requests = containers.value.resources.requests
            }
          }
          # Optional startup probe; unlike the liveness probe it also
          # supports a tcp_socket action.
          dynamic "startup_probe" {
            for_each = containers.value.startup_probe == null ? [] : [""]
            content {
              failure_threshold     = containers.value.startup_probe.failure_threshold
              initial_delay_seconds = containers.value.startup_probe.initial_delay_seconds
              period_seconds        = containers.value.startup_probe.period_seconds
              timeout_seconds       = containers.value.startup_probe.timeout_seconds
              dynamic "grpc" {
                for_each = (
                  containers.value.startup_probe.action.grpc == null ? [] : [""]
                )
                content {
                  port    = containers.value.startup_probe.action.grpc.port
                  service = containers.value.startup_probe.action.grpc.service
                }
              }
              dynamic "http_get" {
                for_each = (
                  containers.value.startup_probe.action.http_get == null ? [] : [""]
                )
                content {
                  path = containers.value.startup_probe.action.http_get.path
                  dynamic "http_headers" {
                    for_each = (
                      containers.value.startup_probe.action.http_get.http_headers
                    )
                    content {
                      name  = http_headers.key
                      value = http_headers.value
                    }
                  }
                }
              }
              dynamic "tcp_socket" {
                for_each = (
                  containers.value.startup_probe.action.tcp_socket == null ? [] : [""]
                )
                content {
                  port = containers.value.startup_probe.action.tcp_socket.port
                }
              }
            }
          }
          # Mount points keyed by volume name; values are the mount paths.
          dynamic "volume_mounts" {
            for_each = containers.value.volume_mounts
            content {
              name       = volume_mounts.key
              mount_path = volume_mounts.value
            }
          }
        }
      }
      # Secret Manager secrets exposed as files; default_mode and the
      # per-item mode set the permissions of the mounted files.
      dynamic "volumes" {
        for_each = var.volumes
        content {
          name = volumes.key
          secret {
            secret_name  = volumes.value.secret_name
            default_mode = volumes.value.default_mode
            dynamic "items" {
              for_each = volumes.value.items
              content {
                key  = items.key
                path = items.value.path
                mode = items.value.mode
              }
            }
          }
        }
      }
    }
    metadata {
      name        = local.revision_name
      annotations = local.revision_annotations
    }
  }

  metadata {
    annotations = local.annotations
    labels      = var.labels
  }

  # Traffic split; keys are revision name suffixes, matching the
  # "${var.name}-<suffix>" scheme used for local.revision_name.
  dynamic "traffic" {
    for_each = var.traffic
    content {
      percent         = traffic.value.percent
      latest_revision = traffic.value.latest == true
      revision_name = (
        traffic.value.latest == true
        ? null
        : "${var.name}-${traffic.key}"
      )
      tag = traffic.value.tag
    }
  }

  # Values the platform sets on its own are ignored so they do not show up
  # as drift on every plan.
  lifecycle {
    ignore_changes = [
      metadata.0.annotations["run.googleapis.com/operation-id"],
      template.0.metadata.0.labels["run.googleapis.com/startupProbeType"]
    ]
  }
}
resource "google_cloud_run_service_iam_binding" "binding" {
  # One authoritative binding per role in var.iam: Terraform owns the full
  # member list for each.key, so members granted to that role outside this
  # module are removed on the next apply. Members of roles/run.invoker
  # deserve particular review, since allUsers or allAuthenticatedUsers
  # there make the service reachable without further authorization.
  for_each = var.iam
  role     = each.key
  service  = google_cloud_run_service.service.name
  location = google_cloud_run_service.service.location
  project  = google_cloud_run_service.service.project
  # When the module creates the trigger service account and the caller
  # manages the invoker role here, that account is appended so Eventarc
  # can still call the service.
  members = (
    each.key == "roles/run.invoker" && local.trigger_sa_create
    ? concat(each.value, ["serviceAccount:${local.trigger_sa_email}"])
    : each.value
  )
}
resource "google_cloud_run_service_iam_member" "default" {
  # Additive invoker grant for the module-created trigger service account,
  # used only when var.iam does not manage roles/run.invoker itself (that
  # case is covered by the authoritative binding resource).
  count = (
    local.trigger_sa_create && lookup(var.iam, "roles/run.invoker", null) == null
    ? 1
    : 0
  )
  role     = "roles/run.invoker"
  member   = "serviceAccount:${local.trigger_sa_email}"
  service  = google_cloud_run_service.service.name
  location = google_cloud_run_service.service.location
  project  = google_cloud_run_service.service.project
}
resource "google_service_account" "service_account" {
  # Dedicated runtime identity for the service, created only on request;
  # its email is consumed through local.service_account_email.
  # NOTE(review): account_id carries a fixed "tf-cr-" prefix plus var.name,
  # so var.name must keep the id within the platform's length limits —
  # confirm the variable's validation covers this.
  count        = var.service_account_create ? 1 : 0
  project      = var.project_id
  display_name = "Terraform Cloud Run ${var.name}."
  account_id   = "tf-cr-${var.name}"
}
resource "google_eventarc_trigger" "audit_log_triggers" {
  # One trigger per entry in var.eventarc_triggers.audit_log, each routing
  # Cloud Audit Log "written" events for a (service, method) pair to the
  # Cloud Run service.
  for_each = var.eventarc_triggers.audit_log
  project  = google_cloud_run_service.service.project
  location = google_cloud_run_service.service.location
  name     = "${local.prefix}audit-log-${each.key}"
  # Identity the trigger invokes the service with; null when the module
  # creates no trigger service account (see local.trigger_sa_email), in
  # which case the platform's default identity presumably applies —
  # confirm before relying on it.
  service_account = local.trigger_sa_email
  destination {
    cloud_run_service {
      region  = google_cloud_run_service.service.location
      service = google_cloud_run_service.service.name
    }
  }
  matching_criteria {
    attribute = "type"
    value     = "google.cloud.audit.log.v1.written"
  }
  matching_criteria {
    attribute = "serviceName"
    value     = each.value.service
  }
  matching_criteria {
    attribute = "methodName"
    value     = each.value.method
  }
}
resource "google_eventarc_trigger" "pubsub_triggers" {
  # One trigger per Pub/Sub topic in var.eventarc_triggers.pubsub; messages
  # published on the topic are delivered to the Cloud Run service.
  for_each = var.eventarc_triggers.pubsub
  project  = google_cloud_run_service.service.project
  location = google_cloud_run_service.service.location
  name     = "${local.prefix}pubsub-${each.key}"
  # Identity the trigger invokes the service with; null when the module
  # creates no trigger service account (see local.trigger_sa_email), in
  # which case the platform's default identity presumably applies —
  # confirm before relying on it.
  service_account = local.trigger_sa_email
  matching_criteria {
    attribute = "type"
    value     = "google.cloud.pubsub.topic.v1.messagePublished"
  }
  transport {
    pubsub {
      topic = each.value
    }
  }
  destination {
    cloud_run_service {
      region  = google_cloud_run_service.service.location
      service = google_cloud_run_service.service.name
    }
  }
}
resource "google_service_account" "trigger_service_account" {
  # Dedicated identity for the Eventarc triggers, created on request; its
  # email is exposed as local.trigger_sa_email and granted roles/run.invoker
  # on the service by the IAM resources above.
  count        = local.trigger_sa_create ? 1 : 0
  project      = var.project_id
  display_name = "Terraform trigger for Cloud Run ${var.name}."
  account_id   = "tf-cr-trigger-${var.name}"
}